Agency Software System Safety Management

Mission Success Starts With Safety




Believe it or not, Software Assurance Affects You Too

Martha S. Wetherholt
NASA Office of Safety & Mission Assurance
mwetherh@hq.nasa.gov

Protecting the Public, Astronauts and Pilots, the NASA Workforce, and High-Value Equipment and Property

Success Starts with Safety

What is Software Assurance?

Software Assurance (SA) includes:
• Software Quality Engineering
• Software Assurance of Products and Processes
• Software Safety
• Software Independent Verification & Validation (IV&V)
• Software Reliability

It is Software Risk Management.

NASA Office of Safety and Mission Assurance   March 7, 2002                       (2)

What Makes Software Safety Critical?

Software that directly or indirectly contributes to the occurrence of a hazardous system state.






           What Makes Software Hazardous?

Software is hazardous if it:
• Controls hazardous or safety critical hardware
• Monitors safety critical hardware as part of a hazard control
• Provides information upon which a safety-related decision is made
• Performs analysis that impacts automatic or manual hazardous operations
• Verifies hardware hazard controls
• Is used to verify safety critical hardware and/or software
• Is used to model or simulate safety critical applications




Software Safety: Why Care?

• One or more people are injured, or worse
• Regulatory requirements (e.g. OSHA, UL, etc.)
• NASA requirements
• Liability if software fails
• Reputation (business or personal)
• "Good practice" for mission critical or business critical software


Why Should We Care? What Does It Have to Do with Me?
• Software control of facilities
    – Wind tunnels
    – Simulators
    – Centrifuges
    – Shake & Bake
    – EMI testing
    – Engine checkout
    – Etc.
• Software control and monitoring of safety critical projects which run in changeable labs
• Labs/Tools
    – Vibe tables ...


What Should Be Done

• Train Area Safety Managers/Health and Safety Personnel
• Invite Software Assurance along on facility set-up and changes
• Ask the right questions:
    – How is this experiment/facility controlled?
    – How is it monitored?
    – What is the human interface?
    – Does software detect and react to safety critical situations?
        • How? What is it expected to do?
    – What testing was performed on the Commercial Off-The-Shelf (COTS) software purchased to operate the facility/experiment?
    – What software development processes are to be used to develop the software, including application SW?
    – How are the COTS and the applications written on it configuration managed?
    – Does the software perform a logging function to track faults, failures, errors, etc.? How often is the log viewed? By whom?


            Creating Safer Software & Safer Systems

• Good SW development process
• Development tools
• Appropriate reviews
    – Diverse review teams
    – Formal inspections
• Communication
• Appropriate analysis, both safety & development
• Caveat emptor


             Safety Verification Testing
• Safety tests designated for each hazard control.
• Verify partitions, firewalls, or other software constructs that isolate safety critical code.
• "Fail" the hazard controls in a multi-tolerant system. For example, in a two-fault-tolerant system (three controls), try all combinations of two failures.
• Verify hazardous commands.
• Verify software correctly handles out of sequence commands, hazardous commands issued in an incorrect state, and other possible errors.
• Software Safety (usually SQA) should witness all software safety testing.
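The "try all combinations of two failures" bullet can be made mechanical. The Python harness below is an added example and is not part of the NASA presentation; the interlock it models (an operator enable, an arm command and a pressure limit, each depending on its own hypothetical component) and the 500 psi limit are constructed. It enumerates every combination of up to k component failures, reports any that release the hazard, and goes one step past the slide's example by showing why the controls have to be independent: a second design that also has three inhibits, but with two of them reading the same sensor, is defeated by a single failure.

```python
"""Added example (not from the NASA slides): exhaustively "failing" hazard
controls to check that a design really is two-fault tolerant.  The interlock,
its components and the pressure limit are hypothetical."""
from dataclasses import dataclass
from itertools import combinations
from typing import Callable, FrozenSet, List, Sequence, Tuple


@dataclass
class State:
    operator_enable: bool = False
    arm_received: bool = False
    pressure_psi: float = 0.0


@dataclass(frozen=True)
class Inhibit:
    name: str
    depends_on: FrozenSet[str]          # components whose failure defeats it
    blocks: Callable[[State], bool]     # True while this inhibit holds the hazard


def hazard_released(state: State, inhibits: Sequence[Inhibit],
                    failed: FrozenSet[str]) -> bool:
    """The hazard is released only when no healthy inhibit still blocks it.
    A failed component is modelled as failing open (no longer blocking)."""
    for inh in inhibits:
        if inh.depends_on & failed:
            continue                    # defeated by a failed component
        if inh.blocks(state):
            return False
    return True


def find_breaches(inhibits: Sequence[Inhibit], tolerance: int,
                  state: State) -> List[Tuple[str, ...]]:
    """Try every combination of up to `tolerance` component failures and
    return those that release the hazard; an empty list means the design
    tolerates that many faults in this state."""
    components = sorted(set().union(*(i.depends_on for i in inhibits)))
    breaches = []
    for k in range(1, tolerance + 1):
        for combo in combinations(components, k):
            if hazard_released(state, inhibits, frozenset(combo)):
                breaches.append(combo)
    return breaches


def tolerance_of(inhibits: Sequence[Inhibit], state: State) -> int:
    """Largest k such that every combination of k failures is still held."""
    n = len(set().union(*(i.depends_on for i in inhibits)))
    for k in range(1, n + 1):
        if any(len(b) == k for b in find_breaches(inhibits, k, state)):
            return k - 1
    return n


QUIESCENT = State()     # nothing enabled, nothing armed, no pressure

# Three inhibits on three independent components: two-fault tolerant.
GOOD_DESIGN = [
    Inhibit("operator", frozenset({"operator_switch"}),
            lambda s: not s.operator_enable),
    Inhibit("arm", frozenset({"command_path"}),
            lambda s: not s.arm_received),
    Inhibit("pressure", frozenset({"pressure_sensor_a"}),
            lambda s: s.pressure_psi <= 500.0),    # constructed limit
]

# Also three inhibits, but two of them read the same sensor: one sensor
# failure defeats both, so the design is only one-fault tolerant.
COMMON_CAUSE_DESIGN = [
    GOOD_DESIGN[0],
    Inhibit("pressure_1", frozenset({"pressure_sensor_a"}),
            lambda s: s.pressure_psi <= 500.0),
    Inhibit("pressure_2", frozenset({"pressure_sensor_a"}),
            lambda s: s.pressure_psi <= 500.0),
]


if __name__ == "__main__":
    print("good design, 2 faults:", find_breaches(GOOD_DESIGN, 2, QUIESCENT))
    print("common cause, 2 faults:", find_breaches(COMMON_CAUSE_DESIGN, 2, QUIESCENT))
    print("tolerance:", tolerance_of(GOOD_DESIGN, QUIESCENT),
          tolerance_of(COMMON_CAUSE_DESIGN, QUIESCENT))
```

The enumeration is over components rather than over the inhibits themselves: that is what exposes the common-cause case, because counting inhibits alone would report three controls for both designs. A real safety test would run the same enumeration against the actual software in each operating state, not only the quiescent one used here.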




When COTS Software Is Used: SOUP (SW of Uncertain Parentage)
• Is this a case of reuse?
    – Previous environmental criteria may or may not be valid in the new system.
• Must test COTS, stand-alone, for the ways it can fail.
• Must test for how system faults/failures affect the COTS and the applications that run on it.
• How does your application software respond to those failures, and how do they affect the system, humans, etc.?
• What of unused portions/features of COTS software? Can they influence the safety critical operations and monitoring?
• Stand-alone testing of all functionality prior to integration in the lab or facility.
• How much glue-ware and/or wrapper code is needed?

             What are we asking you to do?
• Be AWARE
    – Know what to look for
    – What questions to ask
    – What you are buying
• Be proactive
• Put software into the assessment process & plan
• Train your people
• Document safety requirements, then test for them
• Work with SW Assurance

                                     Background/Extras





What Software Is Included?

 • Software
 • Firmware
 • Programmable Logic Devices
 • ASICs - Application Specific Integrated Circuits
 • FPGAs - Field Programmable Gate Arrays
 • COTS Software
       –   Program Logic Control
       –   Databases
       –   Operating Systems
       –   Ad infinitum




                 Categories of S/W Safety Functions

• Caution and warning functions
• Failure Detection, Isolation, and R...
    – Recovery
    – Restart
    – Reduced operation
• Automatic safing software
    – Hot, warm, cold backup
• Autonomous decision making & operation





                   Safety critical software is:


• Software which controls or monitors safety critical functions, including mitigation of hazards
• Software which runs on the same system as safety critical software, or impacts systems which run safety critical software
• Software which handles safety critical data
• Software used to verify and validate safety critical hardware and software





                    Categories of S/W Safety Functions
    • Must work/must not work functions
          –   Mode and State Dependent
          –   Must never work
          –   Must never fail to work
    • Fault tolerance
          –   Redundancy
          –   How many levels and where are they best put
    • Multiple Commanding (Ready, Arm, Fire)
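The "must work / must not work" and "Ready, Arm, Fire" bullets, together with the Safety Verification Testing bullet above about out-of-sequence commands and hazardous commands issued in an incorrect state, are one design: the hazardous command is mode dependent and must never work outside the armed state, while the return-to-safe command must never fail to work. The sequencer below is an added example and is not code from the NASA presentation; the command names, the 30 s arm window and the log layout are hypothetical. Every command, accepted or rejected, is logged with its reason, which is the logging function the "What Should Be Done" slide asks about.

```python
"""Added example (not from the NASA slides): a Ready/Arm/Fire command
sequencer with mode-dependent hazardous commands and rejection of
out-of-sequence commands.  Command names, the arm window and the log
format are hypothetical."""
from enum import Enum


class Mode(Enum):
    SAFE = "safe"
    READY = "ready"
    ARMED = "armed"
    FIRED = "fired"


class Sequencer:
    ARM_WINDOW_S = 30.0   # constructed: an ARM authorization goes stale after this

    def __init__(self):
        self.mode = Mode.SAFE
        self.armed_at = None
        self.log = []      # every command, accepted or not, with the reason

    def handle(self, cmd, now):
        """Apply one command at time `now` (seconds).  Returns True if accepted."""
        accepted, new_mode, reason = self._evaluate(cmd, now)
        self.log.append((now, cmd, self.mode.value, new_mode.value,
                         "accepted" if accepted else f"rejected: {reason}"))
        if new_mode is not Mode.ARMED:
            self.armed_at = None
        elif self.mode is not Mode.ARMED:
            self.armed_at = now          # entering ARMED starts the window;
                                         # a rejected command never extends it
        self.mode = new_mode
        return accepted

    def _evaluate(self, cmd, now):
        mode = self.mode
        if cmd == "SAFE":                        # must never fail to work
            return True, Mode.SAFE, ""
        if cmd == "READY":
            if mode is Mode.SAFE:
                return True, Mode.READY, ""
            return False, mode, f"READY out of sequence in {mode.value}"
        if cmd == "ARM":
            if mode is Mode.READY:
                return True, Mode.ARMED, ""
            return False, mode, f"ARM out of sequence in {mode.value}"
        if cmd == "FIRE":                        # the hazardous command
            if mode is not Mode.ARMED:
                return False, mode, f"FIRE must never work in {mode.value}"
            if now - self.armed_at > self.ARM_WINDOW_S:
                return False, Mode.SAFE, "arm window expired, returning to safe"
            return True, Mode.FIRED, ""
        return False, mode, f"unknown command {cmd!r}"


def run_sequence(timed_commands):
    """Replay (time, command) pairs on a fresh sequencer.
    Returns the final mode name and the list of rejected commands."""
    seq = Sequencer()
    rejected = [cmd for t, cmd in timed_commands if not seq.handle(cmd, t)]
    return seq.mode.value, rejected


if __name__ == "__main__":
    print(run_sequence([(0, "READY"), (1, "ARM"), (2, "FIRE")]))
    print(run_sequence([(0, "FIRE")]))
    print(run_sequence([(0, "READY"), (1, "ARM"), (40, "FIRE")]))
```

The safety tests for this design are the sequences in the test: the nominal Ready/Arm/Fire path must work, FIRE in any other mode must never work, an expired arm window drops the system back to safe rather than leaving it armed, and a rejected command while armed must not restart the window.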





             Stability/Reliability Testing
• How well does the system operate for extended periods of time?
• The system is run in its normal mode of operation; occasional peak performance is allowed, but this is not stress testing the system.
• Can the system handle intermittent bad data?
• Is there a sensitivity to event sequences?
• Does memory leakage cause problems after a period of time?
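A small soak-test harness covers the four questions above in one run. The code below is an added example and is not from the NASA presentation; the monitor, its five-sample trip threshold, the 10% bad-data rate and the sample generator are constructed. It feeds a hypothetical sensor monitor many thousands of normal-mode samples with intermittent bad data, checks that the same bad samples produce a different result when spread out than when they arrive in a burst (event-sequence sensitivity), and uses Python's tracemalloc to measure heap growth between a warmed-up baseline and the end of the run, which is how a leak that only matters after a long run shows up. A second monitor with the same logic but an unbounded rejection record stands in for the leak.

```python
"""Added example (not from the NASA slides): a soak-test harness for
extended operation, intermittent bad data, event-sequence sensitivity and
memory growth.  The monitor, its limits and the sample generator are
hypothetical."""
import gc
import random
import tracemalloc
from collections import deque


class BoundedMonitor:
    """Watches one sensor.  An isolated bad sample is tolerated; TRIP_AFTER
    consecutive bad samples raise a caution, and one good sample clears it.
    Every field is bounded, so run length cannot drive memory growth."""
    TRIP_AFTER = 5            # constructed tolerance for bad-data bursts

    def __init__(self):
        self.cycle = 0
        self.consecutive_bad = 0
        self.caution = False
        self.recent = deque(maxlen=50)   # bounded history for operator display

    @staticmethod
    def is_bad(value):
        # None, NaN and physically impossible negatives count as bad data
        return value is None or value != value or value < 0.0

    def on_bad_sample(self, value):
        pass                              # hook for subclasses

    def sample(self, value):
        """Feed one reading; returns True while the caution flag is raised."""
        self.cycle += 1
        if self.is_bad(value):
            self.consecutive_bad += 1
            self.on_bad_sample(value)
        else:
            self.consecutive_bad = 0
            self.recent.append(value)
        self.caution = self.consecutive_bad >= self.TRIP_AFTER
        return self.caution


class LeakyMonitor(BoundedMonitor):
    """Same logic, but keeps an unbounded record of every rejected sample:
    the kind of defect that only shows up after hours of operation."""
    def __init__(self):
        super().__init__()
        self.rejections = []

    def on_bad_sample(self, value):
        self.rejections.append(f"cycle {self.cycle}: rejected {value!r}")


def check_sequences(monitor_factory):
    """Event-sequence sensitivity: the same bad samples, spread out vs clustered."""
    good, bad = 250.0, None
    spread = [good, bad, good, good, bad, good, bad, good, good, bad, good, bad, good]
    burst = [good, good] + [bad] * 5 + [good]
    m = monitor_factory()
    spread_tripped = any(m.sample(v) for v in spread)
    m = monitor_factory()
    burst_results = [m.sample(v) for v in burst]
    return {
        "spread_tripped": spread_tripped,        # isolated bad data: no caution
        "burst_tripped": any(burst_results),     # persistent bad data: caution
        "recovered": not burst_results[-1],      # one good sample clears it
    }


def soak(monitor, cycles, seed, bad_rate=0.1):
    """Normal-mode operation with intermittent bad data, not stress testing."""
    rng = random.Random(seed)                    # seeded: the run is repeatable
    for _ in range(cycles):
        value = None if rng.random() < bad_rate else rng.uniform(0.0, 400.0)
        monitor.sample(value)


def measure_growth(monitor_factory, warmup=2000, cycles=20000):
    """Bytes of traced heap growth between a warmed-up baseline and the end
    of a long run; a design with bounded state returns roughly zero."""
    monitor = monitor_factory()
    tracemalloc.start()
    soak(monitor, warmup, seed=1)
    gc.collect()
    baseline = tracemalloc.get_traced_memory()[0]
    soak(monitor, cycles, seed=2)
    gc.collect()
    growth = tracemalloc.get_traced_memory()[0] - baseline
    tracemalloc.stop()
    return growth


if __name__ == "__main__":
    print(check_sequences(BoundedMonitor))
    print("bounded growth (bytes):", measure_growth(BoundedMonitor))
    print("leaky growth (bytes):  ", measure_growth(LeakyMonitor))
```

The baseline is taken after a warm-up so that one-time allocations (caches, the history deque filling up) are not mistaken for a leak; only growth that continues after that point counts. In a real facility the same measurement would be taken from the process's resident memory over hours rather than from a Python allocator trace over seconds.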





                        Summary

• Determine software control and complexity
• Determine each software portion's contribution to safety
• Establish categories with a cross index to hazard level
• Determine the level of effort needed to assure safer software
• Further tailor the effort to your particular needs and situation


